关键词: 深度神经网络, 通用扰动, 特定标签攻击, 后门攻击, 后门防御

Abstract: Recent studies have shown that deep neural network (DNN) is vulnerable to backdoor attacks, which are stealthy and powerful enough to allow the model to output the results expected by the attacker. To address the problem that current research on defense against backdoor attacks requires high computational overhead while also affecting the accuracy of the model, a generic perturbation-based defense framework is proposed, which combines the detection of backdoors with the elimination of backdoors. The detection phase generates generic  perturbations for the sample set that cause the model to misclassify benign samples without affecting the backdoor samples, and accomplishes the efficient detection of backdoor samples by comparing the changes in the model's output before and after the addition of the perturbations to the samples to be detected. In the elimination stage, the detected backdoor samples are reconstructed using the random primary color overlay method and mixing with the benign samples to deduplicate and train the backdoor model. The framework is validated on MNIST, Fashion-MNIST, and CIFAR-10 datasets to verify the effectiveness of the framework in terms of the effects of different trigger designs, poisoning ratios on the defense, and the defense effect for specific label attacks. Experimental results demonstrate that the framework not only significantly reduces the success rate of backdoor attacks under various conditions but also has minimal impact on the classification performance of benign samples. Additionally, compared to previous studies, it shows substantial improvements in defending against specific label attacks.

Key words: deep neural network(DNN);generic , perturbation;specific label attack;backdoor attack;backdoor defense